Terraform static analysis for RBI/DPDPA compliance requirements
Project description
terraform-rbi-compliance-scanner
A Terraform static analysis tool that checks infrastructure code against RBI cybersecurity guidance and India's DPDPA data protection requirements not just generic cloud security best practices.
Most open-source IaC scanners (Checkov, tfsec, Terrascan) check for general misconfigurations like "is this S3 bucket public." They don't know anything about India-specific regulatory requirements like data localization mandates for financial data. This tool fills that gap.
Why this exists
"Is my S3 bucket public?" and "does my S3 bucket meet Indian data localization requirements?" are different questions and only the first one is covered by existing scanning tools. This project encodes the second kind of question as automated, CI/CD-enforceable rules.
Quick start
git clone https://github.com/swayam-crypto/terraform-rbi-compliance-scanner.git
cd terraform-rbi-compliance-scanner
pip install -r requirements.txt
PYTHONPATH=src python -m compliance_scanner.cli --path ./examples/sample_infra
Example output:
3 compliance violation(s) found:
[CRITICAL] RBI-001 — aws_s3_bucket.customer_transactions
Resource 'customer_transactions' appears to hold sensitive financial/
customer data but is provisioned in 'us-east-1', outside India.
RBI data localization rules likely require ap-south-1 or ap-south-2.
Reference: RBI Cybersecurity Framework — Data Localization requirement
Rules implemented
See docs/RULES.md for the full list and what each one checks.
Architecture
See docs/ARCHITECTURE.md for how the parser, rule engine, and reporting layers fit together, and the reasoning behind the design choices.
Running tests
pip install -r requirements-dev.txt
PYTHONPATH=src python -m pytest tests/ -v
CI/CD integration
This repo includes a working GitHub Actions workflow
(.github/workflows/scan.yml) that runs the test suite and scans the
example infrastructure on every push and pull request, failing the
build if a critical violation is found. Point --path at your own
Terraform directory to use it on real infrastructure.
Status
Early-stage, actively being built. Currently implements 2 of a planned 6 rules. Not yet validated by a compliance professional — see the disclaimer in docs/RULES.md.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rbi_compliance_scanner-0.2.0.tar.gz.
File metadata
- Download URL: rbi_compliance_scanner-0.2.0.tar.gz
- Upload date:
- Size: 16.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7dcf9d3c2098f97e7ee20a060535c22ef42b0b78c2aa0577fd9163c1e4a396f9
|
|
| MD5 |
7c1b20e547c93eac01551d45e095a9c0
|
|
| BLAKE2b-256 |
12da68ba5bbc54d274b7ede14995b0fbcff81605b077565494022b3eeb64a632
|
Provenance
The following attestation bundles were made for rbi_compliance_scanner-0.2.0.tar.gz:
Publisher:
publish.yml on swayam-crypto/terraform-rbi-compliance-scanner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
rbi_compliance_scanner-0.2.0.tar.gz -
Subject digest:
7dcf9d3c2098f97e7ee20a060535c22ef42b0b78c2aa0577fd9163c1e4a396f9 - Sigstore transparency entry: 2139183789
- Sigstore integration time:
-
Permalink:
swayam-crypto/terraform-rbi-compliance-scanner@d8f42b8963f0d7a4d0c9726a91df01f1567d9d27 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/swayam-crypto
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@d8f42b8963f0d7a4d0c9726a91df01f1567d9d27 -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file rbi_compliance_scanner-0.2.0-py3-none-any.whl.
File metadata
- Download URL: rbi_compliance_scanner-0.2.0-py3-none-any.whl
- Upload date:
- Size: 21.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
19aa5ee2cf9399d4eb04bd4218e50c8c352bc71f0e021d032b6dcf302010700c
|
|
| MD5 |
0fc173feb1c27a832a5977e8c5abd561
|
|
| BLAKE2b-256 |
b012a13050183636ccdfad274d8af8ec9479f7533583bf88c19b89d762d96eed
|
Provenance
The following attestation bundles were made for rbi_compliance_scanner-0.2.0-py3-none-any.whl:
Publisher:
publish.yml on swayam-crypto/terraform-rbi-compliance-scanner
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
rbi_compliance_scanner-0.2.0-py3-none-any.whl -
Subject digest:
19aa5ee2cf9399d4eb04bd4218e50c8c352bc71f0e021d032b6dcf302010700c - Sigstore transparency entry: 2139183829
- Sigstore integration time:
-
Permalink:
swayam-crypto/terraform-rbi-compliance-scanner@d8f42b8963f0d7a4d0c9726a91df01f1567d9d27 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/swayam-crypto
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@d8f42b8963f0d7a4d0c9726a91df01f1567d9d27 -
Trigger Event:
workflow_dispatch
-
Statement type: